Register Allocation Mooly Sagiv html://msagiv/courses/wcc05.html.
The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.
-
date post
20-Dec-2015 -
Category
Documents
-
view
222 -
download
1
Transcript of The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.
![Page 1: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/1.jpg)
The Simplify Theorem Prover
Greg Nelson, Dave Detlefs and Jim Saxe
Mooly Sagiv
![Page 2: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/2.jpg)
Bibliography
• Nelson & OppenSimplification by Cooperating Decision ProceduresTOPLAS 1980
• Tinelli & ZarbaCombining non-stably infinite theoriesJournal of Automated Reasoning, 2006
• Simplify: A Theorem Prover for Program CheckingDavid Detlefs, Greg Nelson, James B. SaxeJACM 2005
• Verifun: An Explicating Theorem Prover for Quantified FormulasCormac Flanagan, Rajeev Joshi, James B. Saxe
HPL-2004-199• Zap: Automated Theorem Proving for Software Analysis
Thomas Ball, Shuvendu K. Lahiri, Madanlal MusuvathiMSR Technical Report 2005
![Page 3: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/3.jpg)
The Simplify Theorem Prover
• Proof by Refutation
• Incomplete & Sometimes diverges
• Supports– Full first order logic
• Skolemization• Incomplete treatment of universal quantifications
– Special theories• EUF• Theory of arrays• Relational Linear Algebra (The Simplex)
– Incomplete treatment multiplication• Partial orders
– Combination of theories– New axioms
• Very successful: used as the engine in many checkers:– ESC/Modula3, ESC/Java, SLAM, ...
![Page 4: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/4.jpg)
Outline
• Search strategy (propositional)
• [Specialized theories]– EUF– Arrays– Simplex
• Combining theories
• Handling quantifiers
• Recent systems– Verifun– ZAP
![Page 5: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/5.jpg)
Simplify search strategy
• Somewhat naive
• Top down guessing of truth values with backtracking
• Finds implied truth values
• “Lazy” conversion to CNFUse “Proxies”
• Scored clauses
• Goal oriented
![Page 6: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/6.jpg)
Example
a=b
f(a) f(b) b=c
f(a) f(c)
Inconsistency detected by the EUF procedure so backtrack
![Page 7: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/7.jpg)
Example
a=b
f(a) f(b) b=c
f(a) f(c)
Inconsistent with EUF
Report UNSAT
![Page 8: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/8.jpg)
Combining Decision Procedures
• Programming languages combine different features– Arithmetic– Data types– Arrays– …
• Is there a way to compose decision procedures of different theories?
• Given two decidable logics is there a way to combine the logics into a decidable logic?
![Page 9: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/9.jpg)
Cooperating Decision Procedures Nelson & Oppen • Quantifier free
• Proof be refutation
• Separate the conjunct into separate conjunctsA Bsuch that– A and B use different theories– Only constants are shared
• If either A or B is UNSAT report UNSAT
• When A and B are SAT propagate equalities between A and B and repeat
![Page 10: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/10.jpg)
Example Theories
x, y: CAR(CONS(x, y)) = x
x, y: CDR(CONS(x, y)) = y
x: ATOM(x) CONS(CAR(x), CDR(x)) = x
x, y: ATOM(CONS(x, y))
LIST
x, y: x = y f (x) = f(y)EUF
x: x+0 =0
x: x +-x = 0 0 1
x, y, z: (x+y)+z = x + (y+z) 0 1
x, y:x+y = y +x
x: xx
x, y: xy y x
x, y: xyy x x=y
x, y: xyy z xz
x, y,z: xy x+z y+z
R
![Page 11: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/11.jpg)
A Simple Example
xy
yx+g1
g2=g3-g4
g5=0
x y y x + CAR(CONS(0, x)) P(h(x)-h(y)) P(0)
P(g2)=true
P(g5)=false
g3=h(x)
g4=h(y)
g1=CAR(CONS(g5, x))
![Page 12: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/12.jpg)
Non-Convexity
• If one of the theories is UNSAT the original formulas is UNSAT (Soundness)
• But the original formula may be UNSAT and yet no single equality suffices to prove UNSAT
• Happens for theories which imply non-convex equalities T F c1 = c2 c3 = c4 without T F c1 = c2
or T F c3 = c4
• Performs a case split
![Page 13: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/13.jpg)
Example for Case Split
SELECT(UPDATE(v, I, e), j) = x SELECT(v, j)=y x>e x>y
![Page 14: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/14.jpg)
Equality Propagation Procedure
1. Assign conjunctions to FL and FF s.t.,• FF contains only F-literals • FL contains only L-literals• FL FF is satisfiable iff F is satisfiable
2. If either FL or FF is UNSAT report UNSAT
3. If either FL or FF entails equality not entailed by other add this equality and go to step 2
4. If either FL or FF entails u1=v2 u2=v2 … uk=vk without entailing any equality alone then apply the procedure recursively to the k-formulas FL FF vi = uiIf any of these formulas is SAT return SAT
5. Return UNSAT
![Page 15: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/15.jpg)
Notes
• Only equalities are propagated
• Requires that the theories can find all consequent equalities
• Completeness is non-obvious
• The original paper also performs simplification
![Page 16: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/16.jpg)
Convexity
• A formula F is non-convex F entails u1=v2 u2=v2 … uk=vk without entailing any equality alone– Otherwise it is convex
• A theory is convex
• Convex theories– EUF– Relational linear algebra
• Non-convex theories– Theory of arrays– Theory of reals under multiplications
xy =0z=0 R x=z y=z– Theory of integers under + and
![Page 17: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/17.jpg)
Hints about Completeness• The residues of formula
– The strongest Boolean combinations of equalities between constants entailed by the formula
x=f(a)y=f(b) a=b x=y
x+y-a-b>0 (x=ay=b) (x=by=a)
x=STORE(v, u, e)[j] i=j x=e
x=STORE(v, u, e)[j]
y=v[j]
if i=j then x=e else x=y
Lemma 4: If A and B are formulas whose only common parameters are constant symbols then RES(AB) = RES(A)RES(B)
![Page 18: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/18.jpg)
The residues in the simple example
xy
yx+g1
g2=g3-g4
g5=0
g1=g5x=y
g5=g2g3=g4
x y y x + CAR(CONS(0, x)) P(h(x)-h(y)) P(0)
P(g2)=true
P(g5)=false
g3=h(x)
g4=h(y)
g2g5
x=y g3=g4
g1=CAR(CONS(g5, x))
g1=g5
![Page 19: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/19.jpg)
Handling Quantifiers
• The problem becomes undecidable
• Complete procedures exist and implemented (e.g., SPASS next week)
• Simplify employs incomplete heuristics– Instantiate universal quantifiers with relevant terms– Can be tuned by the user
![Page 20: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/20.jpg)
Instantiating universal quantifiers
• Suppose that 8 x1, …, xn . P is known to hold– For example, because it is an axiom– Or because it is added to the environment during a
backtracking
• We want to find substitutions giving values to x1, …,xn such that (P) will be useful in the proof
![Page 21: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/21.jpg)
General idea in matching
• Pick a term t from P called a trigger (sometimes pattern)
• Instantiate P with a substitution if (t) is a term that the prover is likely to require information about
• Separately implemented for different theories
• Intuition:– Since P contains the term t, (P) will contain the term (t), and
so it provides information about (t)– This is likely to be useful, since the prover wants information
about (t)
![Page 22: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/22.jpg)
Matching in the E-graph
• The Congruence Graph is called E-graph
• Match triggers into equivalence classes
• For every occurrence of the trigger in the E-graph assert the corresponding instance– Adds terms and equalities
![Page 23: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/23.jpg)
Example
• Assume 8 x,y: car(cons(x,y)) = x
• Prove cons(a, b) = cons(c, d)) a=c
• First trigger “car(cons(x,y)”
• Second trigger “cons(x,y)”
![Page 24: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/24.jpg)
Choosing a trigger
• Heuristically important
• Liberal (small) triggers– Too many terms– Sometimes infinite loops
• Conservative (large) triggers– May fail to prove the theorem
• The user can provide– Candidate triggers– Candidate untriggers
![Page 25: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/25.jpg)
Triggers as sets of terms
• Sometimes single trigger is not enoughs, t, x: member(x, s) subset(s, t) member(x,t)
• Use sets of terms as triggers {member(x, s), subset(s, t)}
![Page 26: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/26.jpg)
Matching in the E-graph (example)
• Assume 8 x:f(x) = x [trigger f(x)] 8 x:g(g(x) = x [trigger g(g(x))]
• Prove g(f(g(a))) = a
![Page 27: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/27.jpg)
Matching Loops
• Repeated applications of matching
• Example x: P(f(x), f(g(x)) [Trigger f(x)]
• Can be sometimes avoided by:– Check if the body of the quantifier contains a larger
instance of the term– Alternate matching and decisions– User input
![Page 28: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/28.jpg)
Limitations of matching
• Matching loops
• Not goal oriented
• Limitations of the theories(x: P(x+1)) P(1+a)
![Page 29: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/29.jpg)
Simplify experience
• Handles large formulas
• Robust
• In many cases complete enough
• Fully automatic for simple program verification– Cleanness
• Incompleteness in programs– Deep properties– Shape of dynamically allocated structures
• But slow on Boolean combinations
![Page 30: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/30.jpg)
Verifun : A Theorem Prover UsingLazy Proof Explication• Rajeev Joshi Cormac Flanagan, Jim Saxe and Xinming Ou
• Key ideas:– use SAT solvers to find candidate truth assignments to atomic formulae– have theory modules produce compact “proofs” that are added to the
SAT problem to reject all truth assignments containing the “same” inconsistency
• Requires – proof explicating theory modules
• Uses Simplify Theories extended with Explication and matching
• Implemented in Java (~10,500 lines) and in C (~800 lines)
![Page 31: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/31.jpg)
Zap: Automated Theorem Proving for Software Analysis
• Thomas Ball, Shuvendu Lahiri, Madanlal Musuvati (MSR)
• Use a SAT algorithm for the search procedure
• Use Nelson&Oppen to combine theories
• Develop new decision procedures
• Use quantifier matching
• Add features for program analysis
![Page 32: The Simplify Theorem Prover Greg Nelson, Dave Detlefs and Jim Saxe Mooly Sagiv.](https://reader035.fdocuments.in/reader035/viewer/2022062300/56649d535503460f94a2f858/html5/thumbnails/32.jpg)
Conclusion
• Handling specialized theories yields significant improvements– Efficiency– Termination– Predictability
• Combination procedures are useful
• But resolution based theorem provers can still br superior in several cases